ee48174864ae0ef8c1e2da6b91b17c2f1df32195f69173adcc3013bf97c76ad5

Analysis

max time kernel
201s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe
Size

2.2MB
MD5

03d64ab4dcf9d9d0f3f24472d237aee9
SHA1

a2894cf1bd5ef7fa1380e9ee3c2bedfb5081f737
SHA256

31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2
SHA512

0451f87f2a91d693b3c2ccb69621f66c62b876185965071ea0998c3f76865fc32471d47fa042fd6aaf1adfbff84119ca4a8bed05389258875d40a3f0cfcf4c23
SSDEEP

49152:pySU2VbRPrGNWnTvtchcL6yUw4gZ2oe7yUF30kWc0vNa9:pyW3rE2FHL759caE

Score

10^/10

discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Roaming\\IQManager\\iqmanager.exe"	install-773.exe

Executes dropped EXE 3 IoCs

pid	Process
2976	endpoint.exe
2844	install-773.exe
2804	iqmanager.exe

Loads dropped DLL 10 IoCs

pid	Process
2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe
2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe
2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe
2844	install-773.exe
2844	install-773.exe
2844	install-773.exe
2844	install-773.exe
2844	install-773.exe
2804	iqmanager.exe
2804	iqmanager.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\iqmanager.exe = "C:\\Users\\Admin\\AppData\\Roaming\\IQManager\\iqmanager.exe silent"	install-773.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	iqmanager.exe
File opened (read-only)	\??\O:	iqmanager.exe
File opened (read-only)	\??\T:	iqmanager.exe
File opened (read-only)	\??\U:	iqmanager.exe
File opened (read-only)	\??\Y:	iqmanager.exe
File opened (read-only)	\??\I:	iqmanager.exe
File opened (read-only)	\??\M:	iqmanager.exe
File opened (read-only)	\??\P:	iqmanager.exe
File opened (read-only)	\??\R:	iqmanager.exe
File opened (read-only)	\??\A:	iqmanager.exe
File opened (read-only)	\??\B:	iqmanager.exe
File opened (read-only)	\??\H:	iqmanager.exe
File opened (read-only)	\??\K:	iqmanager.exe
File opened (read-only)	\??\N:	iqmanager.exe
File opened (read-only)	\??\S:	iqmanager.exe
File opened (read-only)	\??\W:	iqmanager.exe
File opened (read-only)	\??\E:	iqmanager.exe
File opened (read-only)	\??\G:	iqmanager.exe
File opened (read-only)	\??\J:	iqmanager.exe
File opened (read-only)	\??\Q:	iqmanager.exe
File opened (read-only)	\??\V:	iqmanager.exe
File opened (read-only)	\??\X:	iqmanager.exe
File opened (read-only)	\??\Z:	iqmanager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 7 IoCs

installer

resource	yara_rule
behavioral5/files/0x000a000000015f7a-11.dat	nsis_installer_2
behavioral5/files/0x000a000000015f7a-14.dat	nsis_installer_2
behavioral5/files/0x000a000000015f7a-15.dat	nsis_installer_2
behavioral5/files/0x000a000000015f7a-16.dat	nsis_installer_2
behavioral5/files/0x000a000000015f7a-17.dat	nsis_installer_2
behavioral5/files/0x000a000000015f7a-18.dat	nsis_installer_2
behavioral5/files/0x00050000000193ab-33.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2804	iqmanager.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2804	iqmanager.exe
2804	iqmanager.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2804	iqmanager.exe
2804	iqmanager.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2804	iqmanager.exe
2804	iqmanager.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2976	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	28
PID 2924 wrote to memory of 2976	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	28
PID 2924 wrote to memory of 2976	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	28
PID 2924 wrote to memory of 2976	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	28
PID 2924 wrote to memory of 2844	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	29
PID 2924 wrote to memory of 2844	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	29
PID 2924 wrote to memory of 2844	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	29
PID 2924 wrote to memory of 2844	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	29
PID 2924 wrote to memory of 2844	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	29
PID 2924 wrote to memory of 2844	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	29
PID 2924 wrote to memory of 2844	2924	31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe	29
PID 2844 wrote to memory of 2804	2844	install-773.exe	30
PID 2844 wrote to memory of 2804	2844	install-773.exe	30
PID 2844 wrote to memory of 2804	2844	install-773.exe	30
PID 2844 wrote to memory of 2804	2844	install-773.exe	30
PID 2844 wrote to memory of 2804	2844	install-773.exe	30
PID 2844 wrote to memory of 2804	2844	install-773.exe	30
PID 2844 wrote to memory of 2804	2844	install-773.exe	30

C:\Users\Admin\AppData\Local\Temp\31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe
"C:\Users\Admin\AppData\Local\Temp\31459fd8f4ca241e9f2eedcaddf848d8be9eaa76f05102b30872eedbe6c250d2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\ endpoint.exe
  "C:\Users\Admin\AppData\Local\Temp\ endpoint.exe"
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\ install-773.exe
  "C:\Users\Admin\AppData\Local\Temp\ install-773.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Roaming\IQManager\iqmanager.exe
    C:\Users\Admin\AppData\Roaming\IQManager\iqmanager.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ install-773.exe

Filesize
420KB

MD5
0b729b84e6e05a84e189d46c7570b4cf

SHA1
ed2d4f461adbf53a31a10e49b09304495b84cabd

SHA256
4a91ac9dfcf72a265d3dcd8ee8d7b4ec1e1c61d1929590e0461860dd70b8d3f2

SHA512
d557f3e5417873c329171366872c885dfec2f95e793d5d3607804482515fdebad4fcf9338b5e21714fbc880bce3a14032d61bae22c6d66ed8fae1198edbf88fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ install-773.exe

Filesize
863KB

MD5
0cedf35492927a5c4b7cd77c3c9c4f91

SHA1
90cfe487e3a0ca714aad09052107198018e4c483

SHA256
8c92e2240049f2b8a2364a709fa4b31532ad11c87eee2eccecfbd424b0dbfaa5

SHA512
01605686da7b1db6757038f5b505038c3e4f36c14089b58179505f4d1e82f0839ce31eb192c21f471700dba55d80d03ddad9bc79c89e982a708f2d1dcd6e109d

Download Submit
C:\Users\Admin\AppData\Roaming\IQManager\languages\English.lng

Filesize
5KB

MD5
07085de5f288a4af975301d446b5e33b

SHA1
1bab1af24546e953ef72b3f91ce1703aa3053da3

SHA256
5026f9af6ce420f4c30853758d9b5e1b9f0042ded6026a925ee180aea661e872

SHA512
1f8e16f22cd88a8acd47cbfd5cec4e8b496194b350b106b97b4147d42ba959894e920a5535ec022ab57b7977c74b6ec9864e0344bfea5bf2e0df95c60fd29e54

Download Submit
C:\Users\Admin\AppData\Roaming\IQManager\settings.ini

Filesize
56B

MD5
3ae8f209e0341d4dc52b0f4eb7b1decc

SHA1
9770791194027ad3b13f8ea2d297d8bf84df8ca9

SHA256
3eaa412ebcfeccbdf1beedd13a195a218ddaabcca2daeff0478e1e8dbc43d127

SHA512
936acdcd6d0e654e6603fb93026ada987c367a35c5549f32a660fc6db564cf696abcdf42b7d1366dbc3bff8bba0a092f64ac3478ac54192ff994da5f04c0d68e

Download Submit
C:\Users\Admin\AppData\Roaming\IQManager\uninstall.exe

Filesize
291KB

MD5
89b1c8ed36c5b5a4cc89d6bac1d5042e

SHA1
1efe7b64f14b63304e8ebde42b127a5235cdfec9

SHA256
f191a7442c6c04b69d0ba43fa79f37092aa2ec837c944828a502cfa2965d1a08

SHA512
74095f394f3fe0293ff4c77e930eada63ed48dbac85bef8bd4d855c0375d37fc2646a9b7e24329430eb6920240f5175d24e12a110343131e44b359622917c529

Download Submit
\Users\Admin\AppData\Local\Temp\ endpoint.exe

Filesize
477KB

MD5
5187760567561bd39c55f4512762d816

SHA1
cc447b481e61b60f305e588a5338a0167dab55d6

SHA256
95c0f249a27fd47f06816bd1e5fa0e6df15bf1e7eb1a764bf5a003bb214e4bfe

SHA512
a38080f9aff8f2c170f769cabdee257a940bc7b9670f78913f861278e9a431829a7aa0887a4a62961d16fe06681e5f523bfbda15bfac0ece21abe85d00913138

Download Submit
\Users\Admin\AppData\Local\Temp\ install-773.exe

Filesize
1.7MB

MD5
702f9b16f1db834f62ce6e4e2cca0712

SHA1
bfbe99d3051bcd79d57aaec4fff466684fbf6614

SHA256
b9c6da2ac0ae606cff0ef777dd13d4d95086ab3a3c8d6fdd1304430306be30a6

SHA512
78ed4eaceccdf1ebdbf2f48634a41cf5abb060fd0967a2688bcfc0be242f093f012f587166b96f00fe1e03657f32582451eb64dd16c1f10097e52bb95f816020

Download Submit
\Users\Admin\AppData\Local\Temp\ install-773.exe

Filesize
750KB

MD5
f33f20cfc00ec606fc61c230181cb22a

SHA1
d461ae8059a8039c65f289aa7a20f84899003dc5

SHA256
92de10c39468f361ad3cdd3f7a313113f6da76e385532c3453ede50d580b8fbe

SHA512
f6873cae6bad284d430f08d83c7f0956adc270ed852c9b5321e8a39a9fb79988990c53e50787b3199e1ef55dfff6480b01f2e23a07f4dc8cbbfeddda05104630

Download Submit
\Users\Admin\AppData\Local\Temp\ install-773.exe

Filesize
350KB

MD5
fe0dd32a4042dcc0c8e0516e871930e9

SHA1
6964c8c337d77cc5159449f232c166e222870304

SHA256
0392057da6eef1656f0022e2b14d6f615317d4e6dffaea063d23373e27d2114a

SHA512
8e22a82f3567dd32fd386578e4835c58d092e3ba7e3fcbb98922bc6da51fddce1db31187f73945342fdc21b74c0de4aef27b4596a1d28e8a44d42e4adf9330a7

Download Submit
\Users\Admin\AppData\Local\Temp\ install-773.exe

Filesize
786KB

MD5
724f2af5c69d82311d3bd764b45d4f58

SHA1
a5ce551c1755f083c6c1733fa6d115422f89590e

SHA256
e3cbb611fad710434bd9937d7205ffd03b4e5f008a51b61a649889271bf1b1ac

SHA512
de6e0f11423a57a0e16dc3138e1e22e2c1a6e175a3e5b728b74c861ff0dc46f2a4ad26e013b26a72cf8cb0899863090cf4d5b1da64300c9e41507749cb8b2eb6

Download Submit
\Users\Admin\AppData\Roaming\IQManager\iqmanager.exe

Filesize
1.5MB

MD5
cf8d45a5c6b297b6eb17ad85029c0542

SHA1
e858fb3577d67e3de9f3b479d2235983ace53891

SHA256
9bc5c9fabf79ef190c4e860318d17a9d1ec976d6c8a12b351e1dc6a368178dfd

SHA512
14725042dc0122c2f291f383546ee75fbae33e95bf1f3da7dd51771f029beb232dd0f3a573af7f769dc11325df15cb2d3d3bc150c71336c0e21b41fa437a5454

Download Submit
memory/2804-47-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2804-51-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download
memory/2804-52-0x0000000000400000-0x0000000000599000-memory.dmp

Filesize
1.6MB

Download